Rake Narang: Should organizations be concerned about the security of cloud applications? What specifically are the threats they should be worried about?
Pravin Kothari: Absolutely. If you pay close attention to your contracts with the cloud provider, you will notice that most of them explicitly limit their liability and accountability to ensuring the security of your data.
CipherCloud is a member of the Cloud Security Alliance (CSA), an organization that has done a great job outlining the key threats to cloud computing. These include:
- Insecure Interfaces & APIs: Examples include anonymous access and/or reusable tokens or passwords, clear-text authentication or transmission of content, inflexible access controls or improper authorizations, and limited monitoring and logging capabilities.
- Malicious Insiders at Cloud Provider: The threat of a malicious insider, which is well known to most organizations, is amplified in a cloud environment due to lack of transparency into provider processes and procedures.
- Shared Technology Vulnerabilities: These concerns stem from multi-tenant environments where the underlying infrastructure (CPU, memory, databases, etc.) is shared across many organizations. A small bug (malicious or accidental) can allow customers to access other tenants’ actual or residual data, network traffic, etc.
- Data Leakage: This can result from insufficient data access, authorization and encryption controls.
- Account Hijacking: Attack methods include phishing, fraud, and malware where credentials and passwords are often reused, which amplifies the impact of such attacks.
Ultimately, many of these concerns arise due to inadequate visibility and control. Cloud vendors do not always disclose the details of how their services work, which third-party partners they use, and exactly where data is located, including all copies and backups.
Rake Narang: What is a cloud encryption gateway? How does it work? Which type of organizations need one? Are there certifications that are important?
Pravin Kothari: Encryption is a typical solution for data confidentiality and integrity requirements. However, traditional encryption methods (encryption provided at database and storage layers) that worked well inside organizations no longer work for the cloud applications because encryption keys reside with cloud providers and data remains in clear at the application and API layers—they’re exposed to all the cloud threats we discussed earlier. As the traditional encryption methods have failed to address complex problems in the evolving cloud environment, emerging companies like CipherCloud are providing innovative solutions to address these key challenges.
Encryption gateways, like CipherCloud’s, take a different approach. They allow organizations to retain complete control over their data in the cloud by applying strong encryption, in real-time, before sensitive data leaves the enterprise, using keys that are retained and managed by the enterprise at all times. The encryption provided is operations-preserving to not impact the application functionality and usability. Since the data is strongly encrypted before leaving the enterprise, it remains protected from all the external and cloud threats.
This technology is particularly important for organizations that must adhere to strict regulations, and for organizations that do business in countries with strict data residency laws. However, any organization that stores sensitive customer data in the cloud needs to take a close look at using these types of solutions to comply with their own internal security policies.
When organizations look at encryption solutions, one of the most important standards is FIPS 197—that’s the Federal Information Processing Standard created by the National Institute of Standards and Technology (NIST). Organizations shouldn’t settle for anything less.